#48986 Test 47808 triggers buffer overflow
Closed: Fixed. Opened 3 years ago by firstyear.

=================================================================
==7590==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200033c9f8 at pc 0x7fee4f62258d bp 0x7fffb403e790 sp 0x7fffb403e780
READ of size 8 at 0x60200033c9f8 thread T0
    #0 0x7fee4f62258c in uniqueness_entry_to_config /home/william/development/389ds/ds/ldap/servers/plugins/uiduniq/uid.c:368
    #1 0x7fee4f6267a8 in uiduniq_start /home/william/development/389ds/ds/ldap/servers/plugins/uiduniq/uid.c:1413
    #2 0x7fee5bd61e38 in plugin_call_func /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:2050
    #3 0x7fee5bd61acc in plugin_call_one /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:1999
    #4 0x7fee5bd608f2 in plugin_dependency_startall /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:1783
    #5 0x7fee5bd61a5b in plugin_startall /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:1971
    #6 0x442d21 in main /home/william/development/389ds/ds/ldap/servers/slapd/main.c:1086
    #7 0x7fee58b70420 in __libc_start_main (/lib64/libc.so.6+0x20420)
    #8 0x40fe59 in _start (/opt/dirsrv/sbin/ns-slapd+0x40fe59)

0x60200033c9f8 is located 0 bytes to the right of 8-byte region [0x60200033c9f0,0x60200033c9f8)
allocated by thread T0 here:
    #0 0x7fee5c1dc0c0 in calloc (/lib64/libasan.so.3+0xc70c0)
    #1 0x7fee5bc7b9ca in slapi_ch_calloc /home/william/development/389ds/ds/ldap/servers/slapd/ch_malloc.c:188
    #2 0x7fee4f621f4f in uniqueness_entry_to_config /home/william/development/389ds/ds/ldap/servers/plugins/uiduniq/uid.c:302
    #3 0x7fee4f6267a8 in uiduniq_start /home/william/development/389ds/ds/ldap/servers/plugins/uiduniq/uid.c:1413
    #4 0x7fee5bd61e38 in plugin_call_func /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:2050
    #5 0x7fee5bd61acc in plugin_call_one /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:1999
    #6 0x7fee5bd608f2 in plugin_dependency_startall /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:1783
    #7 0x7fee5bd61a5b in plugin_startall /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:1971
    #8 0x442d21 in main /home/william/development/389ds/ds/ldap/servers/slapd/main.c:1086
    #9 0x7fee58b70420 in __libc_start_main (/lib64/libc.so.6+0x20420)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/william/development/389ds/ds/ldap/servers/plugins/uiduniq/uid.c:368 in uniqueness_entry_to_config
Shadow bytes around the buggy address:
  0x0c048005f8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048005f8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048005f900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048005f910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048005f920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c048005f930: fa fa fa fa fa fa 00 00 fa fa 03 fa fa fa 00[fa]
  0x0c048005f940: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c048005f950: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c048005f960: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c048005f970: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c048005f980: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7590==ABORTING

ticket47823_test.py is able to trigger this also.

Agreed. tmp_config->attrs is not NULL terminated... It has to be one sizeof(char *) longer for it. :(
{{{
diff --git a/ldap/servers/plugins/uiduniq/uid.c b/ldap/servers/plugins/uiduniq/uid.c
index 5542ae4..e83c31d 100644
--- a/ldap/servers/plugins/uiduniq/uid.c
+++ b/ldap/servers/plugins/uiduniq/uid.c
@@ -299,7 +299,7 @@ uniqueness_entry_to_config(Slapi_PBlock
pb, Slapi_Entry *config_entry)
}

       /* Store attrName in the config */
  • tmp_config->attrs = (const char *) slapi_ch_calloc(1, sizeof(char ));
  • tmp_config->attrs = (const char ) slapi_ch_calloc(2, sizeof(char ));
    tmp_config->attrs[0] = slapi_ch_strdup(attrName);
    argc--;
    argv++; /
    First argument was attribute name and remaining are subtrees /
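Review bot: the calloc(2, ...) here reserves the NULL terminator that the walker at uid.c:368 depends on (the ASan READ of size 8 at 0 bytes past an 8-byte region is exactly the read of attrs[1]), but nothing at this call site says why the count is 2, so a later reader may well shrink it back to 1. Suggest a one-line comment beside the allocation, e.g. `/* attrName plus NULL terminator */`, and, since the following context hands the remaining argv entries off as subtrees, confirming that whatever path grows the list later also allocates count + 1 (that path is not visible in this hunk).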
    @@ -340,7 +340,7 @@ uniqueness_entry_to_config(Slapi_PBlock
    pb, Slapi_Entry config_entry)
    * - requiredObjectClass
    /
    / Store attrName in the config /
  • tmp_config->attrs = (const char *) slapi_ch_calloc(1, sizeof(char ));
  • tmp_config->attrs = (const char *) slapi_ch_calloc(2, sizeof(char ));
    tmp_config->attrs[0] = slapi_ch_strdup(attrName);
       /* There is no subtrees */
    

    }}}
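Review bot: the second hunk (the "There is no subtrees" path) repeats the same literal-2 allocation as the first, so two call sites now silently share the same invariant. A small helper or a named constant for the terminator slot would keep a third path added later from reintroducing the unterminated array. A regression test should land with this too; ticket47823_test.py is reported above to trigger the original over-read under ASan, so it can double as the check.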

commit ffda694
Compressing objects: 100% (13/13), done.
Writing objects: 100% (13/13), 1.90 KiB | 0 bytes/s, done.
Total 13 (delta 9), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
04a9c89..31c0425 master -> master

I want to describe the flaw in this CVE analysis. The CVE request states:

{{{
An attacker, authenticated, but possibly also unauthenticated, could
possibly force the plugin to read beyond allocated memory and trigger a
segfault.
}}}

This is incorrect. Only an authenticated user with write access to cn=config, specifically the uiduniq plugin configuration, can trigger this. In a default install this is only directory manager. If you are directory manager, you can do so many other things, there is no need to trigger an exploit.

This is why I deemed this a stability issue, not a security issue.

Users who are anonymous or bound from a backend do not have access to trigger this.

Metadata Update from @firstyear:
- Issue assigned to firstyear
- Issue set to the milestone: 1.3.6 backlog

2 years ago
